I've tried to move many of my passwords to passphrases or use just the first
letters of words in a passphrase. Why could you not, for example, just use the
letter "w" twenty times? Would this be better than a complicated password of
ten letters, numbers and symbols, etc.? I'm assuming the technique used to crack
the password cannot tell when each character was correctly chosen. I'm sure,
though, that I'm oversimplifying this.


In this excerpt from Answercast #100 I look at cracking passwords and why longer is better.


Longer password of repeating characters

Actually, you're not. It's very interesting. When you've got a choice
between making a password longer or making it more complex (that is, keeping it
shorter but drawing on more kinds of characters), length always wins.

So in your particular case, absolutely, a password of twenty "w's" would be
much more secure than a ten-character password of random characters. Now, of
course, twenty "w's" is a lot easier to remember and maybe somebody shoulder
surfing could more easily see what your password was - but in general for the
kinds of attacks where passwords get cracked, a longer password always
wins.

Hacking a password

Now, one of the things that you mentioned actually reminds me of something
we see on TV shows all the time.

If you pay attention to some of the technology that's used in police shows
or spy thrillers, you'll see that whenever they're trying to crack a password,
the letters of the password will suddenly appear one character at a time. It's
usually a race in time for that last character to appear and the entire
password to get cracked.

You know what? That is not how it works.

You have to get the entire password right at once. The system only reports
whether the whole password matched, so there is no way to discover a password
character by character. So in your case, with your twenty "w's", the fact that
the first character is "w" doesn't give a password cracker any help toward
realizing that, "Oh! The second character is 'w' and the third character is 'w'
and all twenty ..."

It doesn't matter. As far as a password cracker is concerned, you've got
twenty random characters. In your case, you know that they all just happen to
be the letter "w".
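The point above can be seen directly in how a login check is built. The following is an added example, not code from the Ask Leo! article: it stores a salted PBKDF2-HMAC-SHA256 hash of the password and verifies a guess with a constant-time comparison, so the only signal a guesser ever gets is match or no match for the entire string. The fixed salt, the iteration count and the sample passwords are constructed for the demo.

```python
"""Added example: a password verifier gives no per-character feedback.

Storage is a salted PBKDF2-HMAC-SHA256 digest; verification returns a single
True/False for the whole guess, compared in constant time. The salt and the
sample passwords below are constructed for this demo, not taken from anywhere.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # work factor; assumed value, real deployments tune this


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(guess: str, salt: bytes, stored_digest: bytes) -> bool:
    """The only thing a caller learns: did the whole guess match.

    hmac.compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of the digest agreed."""
    _, digest = hash_password(guess, salt)
    return hmac.compare_digest(digest, stored_digest)


def differing_bytes(a: bytes, b: bytes) -> int:
    """How many byte positions differ between two equal-length digests."""
    return sum(x != y for x, y in zip(a, b))


def demo() -> Dict[str, object]:
    """Hash 'w' * 20 and try guesses that are almost, but not quite, right."""
    # Constructed salt so the demo is reproducible; use os.urandom in practice.
    salt, stored = hash_password("w" * 20, salt=bytes.fromhex("00112233445566778899aabbccddeeff"))

    nearly_right = "w" * 19 + "x"      # 19 of 20 characters correct
    _, near_digest = hash_password(nearly_right, salt)

    return {
        "exact_match": verify_password("w" * 20, salt, stored),
        "nineteen_of_twenty": verify_password(nearly_right, salt, stored),
        "prefix_only": verify_password("w" * 19, salt, stored),
        # A one-character change scrambles the digest; ~31 of 32 bytes differ.
        "digest_bytes_differing": differing_bytes(stored, near_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two near-miss guesses return False exactly as a completely wrong guess would, and their digests share essentially nothing with the stored one, which is why the "one character at a time" picture from TV does not apply to a properly hashed password.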

So, in general, when it comes down to choosing secure passwords, when it
comes down to choosing passwords that you can remember and are still secure, by
all means, go for a longer password if the system you're using will allow you
to do so.

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


13 Comments

Mike
March 31, 2013 12:49 AM

This advice should come with one caveat: these days hackers seldom use pure brute force right away, or old-school rainbow attacks, both of which would probably never find a password like 20 w's.
As I read in an article on ars-technica.com recently, these days they have lists with commonly-used patterns, and I'm guessing that using such a list any reasonable amount of w's repeated (whether 12, 16, 20 or some other number) will be found within seconds.
The solution would be fairly straightforward: try not to use a pattern; my vote goes to completely randomized strings of passwords like you can get here, and that's a pain to remember, so I simply use one such password for my password locker and simply let the password locker remember them for me.

Rahul
March 31, 2013 6:21 AM

This explanation assumes the password length is known. Is it possible that the hacker knows the length of the password beforehand?

If not, then even the list will have to include many more entries to try out.

Typically, no, the hacker has no idea what the length of the password is.

02-Apr-2013

Peregrinesea
March 31, 2013 9:52 AM

This raises an interesting question. Many years ago, I changed a password on a file that contained the office budget (on a secure system). I found that afternoon I couldn't open the file. I also found I couldn't open the backup either. Since I was taking two weeks off for the Christmas holidays, I got permission from the security guys to approve a brute force password finder to find the password. When I came back to work, lo and behold the sw had found the password. I immediately changed the password back to 12 characters with appropriate backup, then analyzed the stats. I don't remember the exact number but there were billions of combinations. When I looked at the decrypted password, it was exactly what I had put in. Still haven't figured this one out.

mike
March 31, 2013 10:49 AM

I have a question that I've asked on another site before, but never got a satisfactory answer. Hear me out here--why does it matter how long my password is? Let's say for example I choose a password with a length of only one character. If the person trying to guess my password doesn't KNOW it's only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is--if the hacker doesn't know the LENGTH of my password, shouldn't a one character password have the same chance of being cracked as a 13 character password?

No. Brute force attacks start somewhere, running through all possible passwords. It's extremely possible with current hardware for certain types of attacks to try all possible 8-character passwords. That is NOT the case for, say, 12 and certainly not for 20 character passwords. Hence, longer is better. Longer also gives us the opportunity to use phrases we can more easily remember.

02-Apr-2013

Mark J
March 31, 2013 10:54 AM

I'm glad you mentioned that about how the movies show a password being cracked. It always cracked me up watching this. Like in the movie Sneakers with Robert Redford the numbers magically appeared in random order each in the correct position.

Mike Devlin
March 31, 2013 6:35 PM

Passphrases are the way to go. This xkcd cartoon completely changed the way I think about security: http://xkcd.com/936/

When choosing a password, if possible I pick a passphrase that invokes a funny, memorable image, much like the cartoon.

(Also, I use two-factor authentication if it's available...that can save your butt, even if you choose a bad password.)

DaGeek247
April 2, 2013 8:57 AM

"mike
March 31, 2013 10:49 AM
I have a question that I've asked on another site before, but never got a satisfactory answer. Hear me out here--why does it matter how long my password is? Let's say for example I choose a password with a length of only one character. If the person trying to guess my password doesn't KNOW it's only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is--if the hacker doesn't know the LENGTH of my password, shouldn't a one character password have the same chance of being cracked as a 13 character password?"

The answer is simple. Suppose you chose to use a single character for say, your WiFi password. Someone else comes along, and decides to crack your WiFi (for whatever reason). Now assuming you are using WPA2-PSK on your router, they will spend about half an hour getting the stuff they need to actually start cracking your WiFi password.

After that, they will spend (assuming they are not stupid) two hours using a dictionary attack on your WiFi. They will come up short (probably), and switch to a brute force attack, which will crack it in about a minute.

That's if they just aren't stupid. A great cracker will have a better password dictionary, and crack your WiFi in about half an hour.

This applies to any sort of password security, and the basic methods work in very much the same way. Anybody with an easy-to-find password cracker and a good dictionary list will get into whatever security system you set up in an extremely speedy manner.

GREG JACKSON
April 2, 2013 1:00 PM

I use the method @Mike [March 31, 2013] refers to.
I keep a link shortcut on my desktop just for this reason. Perhaps a visit to GRC's page will provide a good learning experience for many. Also, take the time to review GRC's “Password Haystacks” link at the very top of the page, below the header.
https://www.grc.com/passwords.htm

connie
April 2, 2013 1:30 PM

@DaGeek247,
I don't think they sit there and type in passwords hoping to guess it. I think they have programs that run through a list of most likely things. It's so fast to run through one symbol, then combinations of two, then combinations of three that they do that first. You'd be hacked in a heartbeat.

Dennis Kelley
April 2, 2013 3:02 PM

What if I hit the space key 27 times (keep it odd and not even). No number, or letters. On one password strength site I got a +108 score.

snert
April 2, 2013 6:04 PM

one of my passwords is a 20 digit combo of numbers (top row) and letters (second row). I skip keys in an easily remembered sequence. I toss the shift key into the mix in, a number/letter - shift/number/letter - no shift... etc, something easy for me to remember with a rhythm to it -1,2,3 -1,2,3... and one could pick any rows to use.

Gordon
April 5, 2013 4:53 AM

"mike
March 31, 2013 10:49 AM
I have a question that I've asked on another site before, but never got a satisfactory answer. Hear me out here--why does it matter how long my password is? Let's say for example I choose a password with a length of only one character. If the person trying to guess my password doesn't KNOW it's only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is--if the hacker doesn't know the LENGTH of my password, shouldn't a one character password have the same chance of being cracked as a 13 character password?"

DaGeek247 gave a good answer for this, as did Leo (good to see you back!). I have a little more to add.

Remember that, for every character you add, the number of possible combinations increases exponentially. For a simple example, assume that you have a 5 character password, and only numbers can be used (this is just an example that illustrates what I'm talking about; don't use a number only password unless you are forced to, like with a PIN!). So you have 10 to the power of 5 (10^5) possible combinations, which is 100,000. Now if you add one more digit, you have 10^6 possible combinations, or 1,000,000. So it will take a hacker one tenth of the time to guess all possible 5 digit combinations as it will to guess all possible 6 digit combinations. So they will of course start with all possible 5 digit combos before moving to 6.

But mike was asking about a 1 digit combination. Essentially his question is "won't the sum of all 1,2,3,4, and 5 digit combos be more than the 6 digit combos?" And the answer is no. In our example, each additional character in the password adds 10 times more possible combinations than the last number of characters. So the sum of all 1,2,3,4 and 5 digit passwords is 111,111, which is still just a little more than one tenth of the number of 6 digit passwords. This is why the hacker starts with smaller passwords before moving to larger.

Gordon
April 5, 2013 5:15 AM

I forgot to mention, though, that I like the fact that mike is thinking about this. We should always be thinking and questioning what we read and hear, especially on the internet.

" Dennis Kelley
April 2, 2013 3:02 PM
What if I hit the space key 27 times (keep it odd and not even). No number, or letters. On one password strength site I got a +108 score"

I'm pretty sure some places won't accept spaces in passwords, and some will truncate them. I have a piece of software at work that ignores spaces at the beginning and end of passwords. I would avoid using spaces in passwords.

Now back to the article: This concept of lengthening your password has been spoken about a lot. Someone else mentioned Steve Gibson's password strength analysis tool (www.grc.com/haystack.htm), where there is also a lot of info. But we need to be a little cautious. Yes, longer passwords are the most important part of our defense against brute force hacking. But a string of 20 w's is probably not a good one. Why? Because a hacker doesn't start with brute force. He starts with a dictionary attack, because that is so much more likely to yield a result. And any good password dictionary will contain such simplistic passwords, even out to 20 or more characters, because they are more likely to yield something, and it takes a trivial amount of time to search for them. The sum of all repeating character passwords, up to 100 repeated characters, is 95 x 100 = 9500, a small number indeed. It would be faster to search those than to search all possible 3 character passwords.

As more people start lengthening their passwords by adding on padding, the hackers will improve their searching to incorporate these things. Yes, it will be harder for them, but not as hard as it seems from just running the numbers. And like Leo pointed out, at some point it will be easier for the hacker to just look over your shoulder and see you hitting QQQQQQ.
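Gordon's two comments above (the digit-count arithmetic in the first, and the "95 x 100 repeated-character passwords" observation in the second) can be checked with a few lines of code. The following is an added example, not code from the article or from any commenter: it computes the keyspace for each length, sums the shorter lengths to show they stay below the next length alone, counts the single-repeated-character passwords, and then applies a minimal acceptance check that rejects low-variety passwords such as twenty w's before a pattern dictionary ever needs to. The printable-ASCII alphabet size of 95 and the policy thresholds (minimum length, minimum distinct characters, maximum run) are assumptions chosen for the demo.

```python
"""Added example: keyspace arithmetic behind length-ordered guessing, plus a
minimal check that rejects repeated-character passwords.

Alphabet size 95 (printable ASCII) and the policy thresholds are assumptions
for this demo; the sample passwords are constructed.
"""
from typing import Tuple

PRINTABLE_ASCII = 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Number of passwords of length 1 through max_length, summed."""
    return sum(keyspace(alphabet_size, n) for n in range(1, max_length + 1))


def shorter_lengths_are_smaller(alphabet_size: int, max_length: int) -> bool:
    """Every length up to max_length combined is still smaller than the next
    length alone, which is why a cracker ordered by length reaches short
    passwords first, whether or not it knows the target's length."""
    return keyspace_up_to(alphabet_size, max_length) < keyspace(alphabet_size, max_length + 1)


def repeated_char_passwords(alphabet_size: int, max_length: int) -> int:
    """One character repeated 1..max_length times: alphabet_size choices per length."""
    return alphabet_size * max_length


def longest_run(password: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def accept_password(password: str, min_length: int = 12,
                    min_distinct: int = 4, max_run: int = 3) -> Tuple[bool, str]:
    """Minimal policy: long enough, built from several distinct characters,
    and free of long single-character runs. Thresholds are assumed values."""
    if len(password) < min_length:
        return False, "too short"
    if len(set(password)) < min_distinct:
        return False, "too few distinct characters"
    if longest_run(password) > max_run:
        return False, "repeated-character run too long"
    return True, "ok"


if __name__ == "__main__":
    print("digits, lengths 1-5 summed:", keyspace_up_to(10, 5), "vs length 6:", keyspace(10, 6))
    print("repeated-char passwords up to 100 chars:", repeated_char_passwords(PRINTABLE_ASCII, 100))
    print("all 3-char printable passwords:", keyspace(PRINTABLE_ASCII, 3))
    for candidate in ["w" * 20, " " * 27, "correct horse battery staple"]:
        print(repr(candidate), "->", accept_password(candidate))
```

The sum of the digit-only lengths 1 through 5 comes to 111,110, just over a tenth of the 1,000,000 six-digit passwords, so a length-ordered search finishes the short ones almost for free; and the 9,500 single-repeated-character passwords up to 100 characters are a far smaller set than the 857,375 three-character printable passwords, which is the reason a policy check, rather than a length counter, is what keeps "wwwwwwwwwwwwwwwwwwww" out of a dictionary hit.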

